Cybersecurity research and analysis from CodeHunter. Covering execution risk, behavioral intent, and the defense strategies that matter before code ever runs.

Malware-as-a-Service: A Top Threat to Organizations in 2024

What is Malware-as-a-Service?

Malware-as-a-service (MaaS) poses a serious threat to enterprise organizations. MaaS functions much like any other software-as-a-service you may be familiar with, and in some cases even comes with technical support. Hackers develop complex malware systems that can be easily purchased by even the most novice of cybercriminals, who can then launch sophisticated attacks against individuals and businesses. Malware-as-a-service democratizes cybercrime, providing any run-of-the-mill criminal with the expertise of an experienced hacker, drastically increasing the average strength and sophistication of a malware attack.

If We Really Cared About the Cybersecurity Talent Shortage…

…We Wouldn’t Make Cybersecurity Jobs So Hard To Fill

The cybersecurity industry is booming with job openings, but organizations don’t have the talent to fill them. Over a third of the 1.8 million cybersecurity jobs in the U.S. go unfilled due to lack of skills and expertise — generating a talent gap that could fill Yankee Stadium thirteen times over. (That’s 18 times the number of seats in Fenway Park for you Red Sox fans.)

Meanwhile, cyberattacks keep increasing in frequency and sophistication. By 2023, the number of global malware attacks is projected to reach over 1.4 billion — and that’s just known malware. It’s impossible to predict the real impact of new threats in the years to come.

With such an overwhelming demand for talent and innovation, you would assume that the path to employment would be streamlined. But that’s far from the reality.

The cybersecurity industry is difficult to break into, workers report high levels of burnout, and too few employers offer room for career advancement. Without industry-wide solutions to bridge the talent gap, cybersecurity teams won’t keep up with rapidly evolving threats.

Barriers to Entry

Most cybersecurity positions require at least a bachelor’s degree and three or more years of experience. That includes entry-level positions. Meanwhile, computer science has one of the highest dropout rates in higher education, meaning fewer potential candidates are heading into IT in the first place, let alone cybersecurity.

Assuming a potential new hire has graduated with a bachelor’s degree in computer science — and even with a cybersecurity certificate or two — landing a cybersecurity job worth the effort is a difficult task. The way into the cybersecurity field is often unclear, and navigating a cybersecurity career path can be just as confusing.

Cybersecurity is constantly changing and evolving to face the latest threats and meet new and stricter standards. That means the learning curve gets steeper and more complex with time. It’s harder for every fresh wave of college grads to gain a foothold. And when they do, the workload is heavy and demanding, with too few rewards to keep skilled workers around for the long haul.

Overwork and Burnout

The people who do manage to break into the industry often find that it’s a far more demanding job than they might have anticipated. Notorious for overwork and burnout, cybersecurity jobs are not for the faint of heart. Cybersecurity professionals are often ignored when things go right and villainized when things go wrong.

CodeHunter CEO Larry Roshfeld applies this exhausting thought to the cybersecurity industry as a whole: “The thing about being responsible for cybersecurity is that we know we can’t win; the best we can ever hope for is not to lose.”

The fatigue that comes with this line of work shows in the numbers. Over half of surveyed IT security professionals said that they, or someone they knew or worked with, had left a job due to overwork and burnout. Additionally, 60% of employers report difficulties retaining qualified cybersecurity professionals.

These obstacles have created a skills gap that’s become increasingly difficult — and increasingly urgent — to overcome. If there aren’t enough opportunities for new hires to learn and grow, the current generation of cybersecurity professionals won’t have anyone to pass the baton to.

We Need a Culture Shift

Employers must balance expectations, workers’ well-being, and industry demands from multiple angles. To lead the way, the cybersecurity community can do the following:

  • Promote cybersecurity training in local colleges offering computer science programs.
  • Provide internships that offer meaningful experience in the cybersecurity field and help prospective cybersecurity professionals get ahead as quickly as possible.
  • Hire for top talent potential (as opposed to current skill levels), and provide the support and training to reach that potential.
  • Upskill and reskill current employees and promote from within while regularly freeing up entry-level positions.
  • Train all employees on cybersecurity best practices, compliance, and managing risk factors on a routine basis throughout the organization to share the burden of responsibility.
  • Look for exceptional soft skills in addition to tech skills — especially in management positions. Over half of ISACA’s survey respondents report a significant gap in soft skills in the cybersecurity industry.
  • Offer flexibility with scheduling and consider what employees need for a healthy work-life balance. This helps prevent burnout and attracts new talent.
  • Foster diversity. Employers who create a welcoming environment for everyone are recruiting from a larger talent pool, and are at less risk of high turnover.
  • Market the critical mission of cybersecurity: we make a difference by protecting people and organizations from cyber threats, big and small. The work is constantly evolving — and never dull.

Unfortunately, We Don’t Have That Kind of Time

While all of the above would set up the cybersecurity industry for a brighter and more robust future, none of those things will make a difference overnight — and we still need viable solutions now.

Even if we could hire armies of well-trained cybersecurity professionals, we would still be outnumbered by constantly evolving threats and increasingly sophisticated cyberattacks. We need solutions that help workers efficiently face threats at scale — and we needed them yesterday.

CodeHunter helps bridge the talent (and numbers) gap in cybersecurity with automated threat detection and analysis. It rapidly identifies otherwise undiscoverable threats, shortening time to discovery and saving organizations resources and man-hours.


7 IoT Medical Devices That Are Hackable

Security Flaws in Patient Medical Devices Put Lives at Risk

Advances in the IoT medical devices market are rapidly innovating how we treat patients, often to a remarkable effect. Layering robotics with medicine and factoring the Internet of Things (IoT) into patient monitoring has opened up a new world for medical treatment, supporting remote patient care. The healthcare IoT market surged throughout the pandemic — and is expected to rise at a rate of 25.9% to $446.52 billion by 2028.

However, there’s a catch: Many IoT medical devices are hackable, and compromised devices can lead to catastrophic patient outcomes.

Escalating Cyber Risks: IoT Medical Devices Connected to Outdated Operating Systems

While advanced IoT devices change how patients receive care, recent history sheds light on escalating cyber risks. In 2017, WannaCry ransomware infiltrated outdated Windows systems, entering 70,000 devices across National Health Services hospitals in England and Scotland. Ambulances stalled, hospitals closed, and patient monitoring was disrupted, delaying care and threatening lives.

Lessons from history are often repeated — and sometimes escalated. Gartner predicts that by 2025 operational technology (OT) environments linked to medical IoT devices will be hacked and weaponized during cyberattacks with the intent to cause physical harm or even death — costing over $50 billion per year.

Just a Few Examples of Hackable IoT Medical Devices

Keeping a close eye on IoT medical devices and their cybersecurity risks is a matter of life or death.

Tread cautiously with these seven IoT medical devices:

1. Next-Generation Teleoperated Surgical Robots: The Raven II

In 2001, Professor Jacques Marescaux used telesurgery and robotics from his offices in New York to perform a cholecystectomy on a 68-year-old woman in France. Since then, experts in robotics and medicine have worked around the clock to make telesurgery a viable option for anyone.

While telesurgery and robotics are most often used while the surgeon is in the same room as the patient, operating over a secure hardwire, surgeons will eventually use them to intervene during situations that are unsafe for humans (like battle scenes, chemical fires, earthquake rescue missions, and pandemics). But there’s a catch: Treatment will likely occur over insecure networks — and cybercriminals can easily infiltrate them. During research at the University of Washington, the Raven II, a telesurgery robot, was easily hacked. Even a tiny interference could have deadly consequences in actual practice.

2. Infusion Pumps: The B. Braun Infusomat Space Large Volume Pump and B. Braun SpaceStation

Imagine you’re lying in a hospital bed after surgery, blissfully unaware of your body’s distressed state thanks to the IV drip of painkillers. And then you suddenly wake up to excruciating pain because someone hacked into the network and shut off the infusion pump — or even worse, you don’t wake up at all because a hacker doubled the rate of flow.

Cybersecurity researchers revealed vulnerabilities that could lead to such an overdose when they hacked into the B. Braun Infusomat Space Large Volume Pump and B. Braun SpaceStation. Ironically, these IoT devices have a locked-down software design with thoughtful security features that are intended to keep patients safe from hackers. Researchers found an easy loophole: They hacked into the hospital’s network and exploited a common connectivity vulnerability, which allowed them to compromise the security of the B. Braun infusion pumps. “Successful exploitation of these vulnerabilities could allow a sophisticated attacker to compromise the security of the Space or compact plus communication devices, allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution,” announced B. Braun in a security statement.

3. Insulin Pumps: Medtronic and Johnson & Johnson

Medical device company Medtronic issued an urgent recall of its insulin pump controllers after researcher Jay Radcliffe discovered connective vulnerabilities, potentially allowing an attacker to overdose the user. And it’s not the first time hackers have exploited vulnerabilities in insulin pumps: Back in 2016, Johnson & Johnson announced that one of its insulin pumps could be hacked, possibly overdosing the patients. The solution? Users were asked to disable a remote control feature, patch a vulnerability, and program the device using a maximum insulin release setting. (Now imagine your grandparent was using the insulin pump, and had to take each of those steps to stay safe.)

4. Imaging Devices: GE Imaging and Ultrasound Devices

According to the 2020 Unit 42 IoT Threat Report, a shocking 83% of hospital imaging devices run on unsupported operating systems — an easy entry point for malicious actors.

In 2020, researchers from CyberMDX found critical vulnerabilities attributed to default global credentials used in management software that affected over 100 radiology tools from GE (including molecular imaging devices, mammography devices, MRI machines, CT and PET Scans, advanced visualization, ultrasounds, and X-rays). “Successfully exploiting the vulnerability may expose sensitive data — such as protected health information (PHI) — or could allow the attacker to run arbitrary code,” researchers explained. And this could “impact the availability of the system and allow manipulation of PHI.”

5. Health Monitors: IntelliVue Information Center iX (PIIC iX) Developed by Philips

Several months ago, researchers at Nozomi Networks Labs discovered five new vulnerabilities in patient monitoring systems. Health monitors track a patient’s vitals and alert staff should anything go wrong — and these monitors are particularly vulnerable to attacks because they’re connected to the more extensive communications network and have large attack surfaces. A hacker could change settings, obscure the displayed data, or silence alarms, leaving patients in urgent need without help.

6. Digital Smart Pens

Doctors use digital smart pens to prescribe medications and then swiftly transmit them to pharmacies — along with a patient’s sensitive information, including their name, address, and health records. Security researcher Saurabh Harit of Spirent SecurityLabs revealed that it’s entirely possible to reverse-engineer the pen and uncover all that information. Even worse, a digital smart pen could serve as an entry point into a larger operating system — and cybercriminals could potentially access databases with patient records.

7. Implantable Cardiac Devices: Pacemakers

The U.S. Department of Homeland Security released a medical advisory statement exposing the vulnerabilities in several pacemaker models. Dick Cheney famously had his pacemaker modified back in 2007 to protect against a virtual assassination.

Hospital staff can protect themselves and their patients by following cybersecurity hygiene basics, keeping software and virus protection up-to-date, running vulnerability assessments and adopting zero-trust policies, modernizing legacy systems, training staff on cybersecurity best practices, and following the FDA’s Medical Device Safety Action Plan.

The True Cost of a Data Breach in 2022

Escalating Cyberattacks Impact More Than A Company’s Bottom-Line

Data breaches cost organizations millions of dollars: The average price tag is up 10% from 2020 to $4.24 million across all industries and up 29.5% to $9.23 million in healthcare — and the fallout is even more damaging than the initial losses. The remediation costs triple the initial damages, and legal repercussions can add millions to the total bill.

Why Do Data Breaches Happen?

Despite advances in cybersecurity, it’s far too easy to steal data: Human error accounts for 85% of data breaches (often the result of a mere phishing email). Malware, application vulnerabilities, and stolen credentials or devices make up the difference.

Data breaches aim to steal confidential information — mostly for financial gain and sometimes just for the thrill of exposing organizations. Once an intruder has access to sensitive data, they may hold data for ransom or sell passwords and customers’ PII on the Dark Web.

What Is the Cost of a Data Breach?

According to the IBM Security Cost of a Data Breach Report 2021, the average cost of a data breach in 2022 is $4.24 million. But where do these totals even come from? And what other damage is done?

The IBM report breaks down the totals into four distinct categories:

1. Lost Business Costs

$1.59 million is the average cost of lost business — including increased customer turnover, lost revenue from downtime, damaged reputation, and lost opportunities.

2. Detection and Escalation

$1.24 million is attributed to the work that goes into detecting a breach and dealing with the immediate fallout. Specifically, this price tag includes the cost of investigation, auditing, crisis management, and internal communications.

3. Notification

$270,000 is the average cost of reporting the breach to customers, regulators, and outside experts.

4. Post-Breach Response

The post-breach response drains an additional $1.14 million from the bank. Organizations face increased customer service demands, regulatory fines, and legal expenditures in the weeks, months, and even years following an attack.

Additional Costs: The True Consequence of a Data Breach

While the average cost of a data breach is unsettling enough, there are additional costs to consider. Variables such as time to discovery, the number of records exposed, whether or not ransomware is a part of the attack, major legal fallouts, and ongoing losses attributed to a tarnished reputation can shutter a business overnight.

  • Time to Discovery: It takes 287 days for most victims to identify and contain a data breach. The longer an intruder has access to data, the more records they can steal.

  • The Number of Records Exposed: The average stolen customer record costs organizations $161. A mega breach of more than 50 million records costs 100x more than the average data breach — rapidly approaching half a billion dollars.

  • Ransomware Costs: A ransomware breach adds 10% to the total bill, increasing the average cost of a data breach to $4.62 million.

  • Legal Repercussions: The average bill for a data breach goes up to $5.65 million at organizations with a high level of compliance failures, compared to $3.35 million where compliance failures were low. Lawsuits over data breaches are increasingly common, so tightening up security and following protocol is not just smart — it’s necessary.

  • Reputation: Can you put a price tag on reputation? A company’s brand and reputation drive business as much as its products and innovations. 83% of US consumers claim they keep their distance from a company that has suffered a data breach — and an additional 21% say they abandon it altogether.

How Can I Prevent a Data Breach?

As we’re seeing ransoms skyrocketing, remediation draining revenue, and public opinion becoming increasingly unforgiving, the business landscape will soon become uninhabitable for the unprepared. Educating your staff and overseeing compliance with cybersecurity protocols is critical to your business’s survival. Start with the following:

  • Limit access to valuable and vulnerable data: The fewer people with credentials, the less chance those credentials will be compromised.

  • Keep software up to date: Take inventory of each system and the updates they require. Create a routine to stay consistent.

  • Destroy before disposal: Before confidential materials are thrown away, be sure they’re thoroughly destroyed. Shred papers and permanently delete data from devices like laptops, phones, and old hard drives.

  • Educate employees on cybersecurity best practices: Use unique passwords, do not share credentials with anyone, report suspicious emails, and do not use company devices for personal use. All it takes for a malicious actor to access company software is one innocent-looking link in an email.

  • Create an incident response plan: The more you drill, the faster your response.

Having a playbook in place in the event of a breach can help you act quickly, minimize damage, avoid unnecessary fines, and save millions of dollars. Take care of your security systems so that they take care of you — and your revenue.

How the U.S. Is Raising the Bar on Cybersecurity

“You have the power, the capacity, and the responsibility to raise the bar on cybersecurity,” President Joe Biden told a room full of executives and cabinet members in August. With news of spyware exposing sensitive government documents in the Homeland Security and Treasury departments — and hackers disrupting critical infrastructure, including food supply and the oil industry — leaders everywhere are using their power to level-up cybersecurity innovation, investments, and leadership.

The State of Cybersecurity: A Brief Overview

Biden’s remarks followed a series of well-publicized attacks in late 2020 and 2021 — including interference with the 2020 elections; the SolarWinds attack; a zero-day attack at Microsoft; ransomware affecting the Colonial Pipeline Company; and a separate ransomware incident that shut down large meat processing plants at JBS.

Cybersecurity pros and solutions often remain just one step ahead of the bad guys in the ever-evolving race to secure bigger, more interconnected attack surfaces. But is one step ahead far enough? Alongside the well-publicized attacks mentioned above, there’s been a 600% increase in lesser-known cyber attacks over the past few years — and they’ve been far too successful. According to Canalys, bad actors seized more records in 2020 than in the last 15 years combined.

The Game is Changing. We Need More Players.

Imagine a nation-state exponentially increasing its landmass without a large enough army to secure its borders. This is the challenge facing the digital world. More people are connected than ever before, yet the digital landscape lacks the cybersecurity workforce, tools, and laws to keep up with rising demand. In fact, according to a recent report by (ISC)², nearly three million cybersecurity jobs are currently vacant. The cybersecurity industry simply lacks qualified candidates to fill important roles.

Despite these gaps in cybersecurity, more people around the globe are moving their personal, social, and business lives online. According to McKinsey & Company, “an estimated 127 new devices connect to the Internet every second.” Innovations in technology are enabling individuals and businesses across every sector to go digital at record speed. If anyone was lagging behind prior to 2019, they likely joined the cybersphere during the COVID-19 pandemic.

Outcomes: Raising the Bar

When the president asks, people listen — including some of the most powerful players in the tech industry. Here’s how tech execs and government leaders responded to the president’s request to raise the bar on cybersecurity, as reported by Reuters:

  • New Guidelines: The White House and the National Institute of Standards and Technology (NIST) will work collaboratively with tech industry leaders to come up with new guidelines for securing software and technological innovations.

  • Investments From Large Companies: Industry leaders committed financial and service-based pledges to raise the bar:

      • Amazon will train individuals on cybersecurity free-of-charge.

      • Microsoft will invest $20 billion in cybersecurity over the next 5 years and help local, state, and federal governmental agencies keep their systems and networks secure.

      • Google will spend $10 billion on cybersecurity over the next 5 years and offer cybersecurity skills training to over 100,000 people.

      • IBM will train 150,000 people on cybersecurity, and focus on diversity and inclusion in the tech industry.

  • New Laws: Congress will work to create new laws that regulate the tech world, including new consumer protection laws and policy to regulate cybersecurity insurance companies.

CodeHunter is joining the collective effort to raise the bar on cybersecurity by making the most powerful malware detection tool ever created. Plus, CodeHunter’s groundbreaking innovation was designed specifically to help address the talent shortage — you can easily compensate for cybersecurity resource constraints by using CodeHunter to automate your malware hunting and reverse-engineering efforts.